
Re: Standard Activity vs Malicious Activity

FWIN means ZA Pro blocked it all, as is its normal habit.

Are you using NetView LAN manager?
Do you run a web server?
Do you/did you run p2p software or some sort of instant messaging?

A few addresses are Latin America (Argentina telephone, Brazil), Morocco, China and others.
Most of it sounds to me really like just internet noise you're picking up if you're a normal user with normal applications (no web servers, no P2P).
The noise is from Argentina telephone, Brazil, Morocco, China and others.

Get a router. It'll stop all this. You'll then see next to nothing in the ZA logs. Routers are cheap. And the government wants us to buy things to improve the economy.

Re: Standard Activity vs Malicious Activity

I'm not running anything out of the ordinary. I do my fair share of networking related habits (mIRC, file serving, sometimes setting my computer up as a server, P2P, Trillian) but it's basic average computer user (who knows computers) stuff.

What got me even started on this 'paranoia' is that I was seeing my router log showing DOS attacks (nothing major, just every so often during the day it'd show up in the log). There was a repeated pattern of certain IPs, but it wasn't constant (as if it was an infected computer and the pattern was the owner having it on/off). The hits in the log also weren't indicative of a major attack (it'd show a few hits over the course of 10 minutes and then nothing for hours). Also, I never lost internet, even during periods where I was online (say in WoW, where I'd notice a loss of internet) and the log showed it blocking stuff.

Further, every now and them, my internet seems a bit **bleep**py (speed was fine, but a ping to Google would be spiky (normal is 50ms; spiky is it jumping to 100+ a lot)).

So yeah, just started to get paranoid so disconnected from the router and hooked straight to the modem. I just don't have a comparison with Zone Alarm to determine what's normal activity in the log and what's abnormal activity.

I can't find ANY abnormal issues on the computer (nothing is triggering ZA, I can't find anything in services/processes/startup/etc., and I can't see any abnormal netstat connections (I think that's the one; I use a program called TCPView)).

Re: Standard Activity vs Malicious Activity

Yes, these are normal connection attempts seen when a computer is directly facing the internet.

To decipher the list, let's look at the very first entry in your presented list.
First look at the attempts made on your IP's own ports (not the sending port or the foreign IP's port).
Thus 66.25.55.84:45735 is the main interest, and port 45735 is the port to look at to decipher the events.

Now look here for the service or daemon associated with that port:

Well, we now see 45735 is unassigned, or in other words for private or unknown use.
Looking at the other ports attempted at your IP, we can see things such as 22 (ftp data from servers), 5900 (a VNC server access port), 80 (server connection using HTTP), 1434/1433 (MS SQL or MS SQL Server ports), 25 (mail port) and so forth and so on.

Nothing really unusual with these ports connection attempts as this is basically the normal internet traffic, where servers are often looking for related or associated servers. Nothing to really be concerned about in this sense.

Another section of the log to look at and examine are the 'Flags'.
Two examples seen in the logs are S and AS.
"S" means "synchronize" (or initial incoming connection attempt) and "AS" means "acknowledge synchronize" (or rush this synchronizing attempt).
The best explanation of the flags is had by reading up on these:

Besides the usual TCP and the one UDP protocol seen in your list, there is also ICMP listed, namely 'type 8', which is officially called Echo or Echo Request and usually just referred to as 'ping'.
Not unusual to see servers and computers pinging other servers and computers.
In any case these too were dropped by the ZA firewall.

Looking at the IPv4 address space list, we can see where IPs fall into the different regional registries:

'IANA' are reserved address spaces (or non-internet addresses).
'AFRINIC' is Africa and other nearby regions.
'ARIN' is the American registry.
'RIPE' is the European registry.
'APNIC' is the Asia and Pacific registry.
'LACNIC' is the Latin America and Caribbean registry.

and so forth and so on.

The IPv4 address list gives only a general idea as to where the IP is listed, not a direct URL or domain name.
By using the nslookup.exe of Windows we can usually quickly find the domain name associated with an IP.
Open the command prompt and type in nslookup.
Then leave a space and type in the IP.
Now press the Enter Key of the keyboard.

Note: I used copy and paste instead of manually typing in the IP into the command - less work and it is more accurate.

The IPv4 address space list shows that the 190.x.x.x addresses are in Latin America and the Caribbean.
The speedy.com.ar result obtained from the nslookup command shows the site is a provider/host server in South America, and the ".ar" following the .com in the name indicates the TLD is Argentina.
Thus it is an IP based at an Argentinian host/provider.
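The reading above (take the local port, look up its service, decode the TCP flags, recognise ICMP type 8) can be applied mechanically. The following is an added example, not code from the thread, from ZoneAlarm or from Oldsod: a Python triage script run over a handful of constructed FWIN-style lines. The field layout (event, date, time zone, source ip:port, destination ip:port, protocol detail) is my assumption of the ZoneAlarm log format, and the IP addresses, ports and timestamps are invented for illustration. The port-to-service table uses the IANA assignments for the ports named in the thread. The `needs_attention` helper adds the practical caveat a practitioner wants: a dropped SYN to a closed port is noise, but a SYN to a port you actually serve (a file server, P2P client or VNC) is worth a second look.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in what I assume is the ZoneAlarm FWIN layout
# (event,date,time zone,source ip:port,destination ip:port,protocol detail).
# The thread's own log list is not reproduced on the page, so these lines,
# IPs, ports and timestamps are invented for illustration.
SAMPLE_LOG = """\
FWIN,2008/05/12,10:15:32 -5:00 GMT,190.55.12.7:3241,66.25.55.84:45735,TCP (flags:S)
FWIN,2008/05/12,10:16:01 -5:00 GMT,201.20.4.9:6000,66.25.55.84:5900,TCP (flags:S)
FWIN,2008/05/12,10:16:44 -5:00 GMT,80.12.33.1:80,66.25.55.84:3110,TCP (flags:AS)
FWIN,2008/05/12,10:17:10 -5:00 GMT,222.8.1.2:1433,66.25.55.84:1433,TCP (flags:S)
FWIN,2008/05/12,10:18:00 -5:00 GMT,190.1.2.3:0,66.25.55.84:0,ICMP (type:8/subtype:0)
FWIN,2008/05/12,10:18:30 -5:00 GMT,41.2.3.4:55000,66.25.55.84:1434,UDP
"""

# IANA-assigned services for the local ports the thread mentions.
WELL_KNOWN: Dict[int, str] = {
    22: "ssh", 25: "smtp", 80: "http",
    1433: "ms-sql-s (SQL Server)", 1434: "ms-sql-m (SQL Server Browser)",
    5900: "vnc", 6000: "x11",
}

LINE_RE = re.compile(
    r"^FWIN,(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),"
    r"(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>TCP|UDP|ICMP)(?: \((?P<detail>[^)]*)\))?$"
)

@dataclass
class Event:
    remote_ip: str
    remote_port: int
    local_port: int      # destination port: the one that matters for triage
    proto: str
    flags: str           # TCP flag letters as logged ("S", "AS"); empty otherwise
    icmp_type: Optional[int]
    service: str
    verdict: str

def service_for(port: int) -> str:
    return WELL_KNOWN.get(port, "unassigned/private")

def verdict_for(proto: str, flags: str, icmp_type: Optional[int],
                local_port: int, service: str) -> str:
    if proto == "ICMP":
        if icmp_type == 8:
            return "ICMP echo request (ping), dropped"
        return f"ICMP type {icmp_type}, dropped"
    if proto == "UDP":
        return f"UDP datagram to local {local_port}/udp ({service}), dropped"
    if flags == "S":
        return (f"unsolicited SYN to local {local_port}/tcp ({service}): "
                "inbound connection attempt or probe, dropped")
    if set(flags) == {"A", "S"}:
        return ("SYN+ACK: a remote server answering a connection request; if this "
                "host never sent one, a late reply or backscatter, dropped")
    return f"TCP segment with flags {flags or '?'} to local {local_port}/tcp, dropped"

def parse_line(line: str) -> Optional[Event]:
    """Parse one FWIN line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    detail = m.group("detail") or ""
    flags_m = re.search(r"flags:([A-Z]+)", detail)
    type_m = re.search(r"type:(\d+)", detail)
    flags = flags_m.group(1) if flags_m else ""
    icmp_type = int(type_m.group(1)) if type_m else None
    local_port = int(m.group("dport"))
    service = service_for(local_port)
    return Event(
        remote_ip=m.group("src"), remote_port=int(m.group("sport")),
        local_port=local_port, proto=m.group("proto"), flags=flags,
        icmp_type=icmp_type, service=service,
        verdict=verdict_for(m.group("proto"), flags, icmp_type, local_port, service),
    )

def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def summarize(events: List[Event]) -> Counter:
    """Count blocked hits per (protocol, local port) to spot repeated targets."""
    return Counter((e.proto, e.local_port) for e in events)

def needs_attention(events: List[Event], listening: Set[int]) -> List[Event]:
    """Noise becomes interesting only where a SYN lands on a port this host
    actually serves (the file server, P2P client or VNC the thread mentions)."""
    return [e for e in events if e.proto == "TCP" and e.flags == "S"
            and e.local_port in listening]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.remote_ip:>14} -> local {e.local_port:<5} {e.verdict}")
    print(summarize(evs))
    print([e.local_port for e in needs_attention(evs, {5900})])
```

Feed it a real ZoneAlarm log and a set of the ports you know you are listening on; everything `needs_attention` does not return is the "internet noise" the thread describes, already dropped by the firewall.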

Re: Standard Activity vs Malicious Activity

Hi Oldsod,
Sorry for being late here to fix the link and then not see you already did it!

I thought Hoov's ICMP list is nice to look at so is a good reference.
What caught my attention were local ports 80 and 6000. No concern, eh? I know ZA blocked. So these also just look like fishing expeditions by those other IPs?

I like those 'direct to the internet, no router' experiments. They kinda tell you the firewall is working. Otherwise the logs are quite blank.

Re: Standard Activity vs Malicious Activity

To zaswing:

The connection attempts to the computer's port 80 would not be strange or unusual; they are normal connection attempts to a server of the web.
Every home computer almost always connects to the remote port 80 of a server.
Port 6000 is not unusual either: some computers will 'network' using the X Window System, and this is the required port for those networking events.